user/group/ organization - samsung...

3 3 User/Group/Organization

User/Group/Organization 43

User/Group/OrganizationCreate user accounts in the Admin Portal directly or add them from existing employee information by synchronizing it with the Active Directory (AD)/Lightweight Directory Access Protocol (LDAP) system. To enroll devices, a user account must be created in advance. After you creating a user account, the user can enroll their devices and log in to Knox Manage.

Also, users must belong to a group or an organization to be assigned profiles and have them applied. You can create a group of users or devices to manage simultaneously, and you can also manage users by organizations, which can be added in the Admin Portal or synchronized from your corporate directory server.

Assign & Apply Profiles

Group

Enroll Devices

Organization

User

or


This chapter explains the following topics:

→ Viewing the user list

→ Viewing the user details

→ Creating user accounts

→ Managing user accounts

→ Viewing the organization list

→ Viewing the organization details

→ Managing organizations

→ Viewing the group list

→ Viewing the group details

→ Creating groups of users or devices

→ Managing groups

→ Syncing user information with AD/LDAP

Viewing the user listNavigate to User to view all the user accounts registered in the Admin Portal on the “User” page. You can also perform specific functions to the selected user account among the list.

1

2

3


No. Name Description

1 Search fieldSearch for desired users by user ID, user name, user groups/organization, or user type.

2Function buttons

AddAdd a single user account. For more information, see Registering a single user account.

Bulk AddAdd bulk user accounts using a template. For more information, see Registering bulk user accounts.

Add via AD/LDAP

Add a single AD/LDAP user account or multiple user accounts at a time. For more information, see Registering a single AD/LDAP user account and Registering multiple AD/LDAP user accounts.

Device Command

Send device command requests to the user’s enrolled devices. For more information, see Sending device commands to users.

Send EmailSend templates or user notifications registered in Knox Manage to users via email. For more information, see Sending templates or user notifications to users via email.

Request Enrollment

Provide users with installation guides to allows users to enroll their devices. For more information, see Sending enrollment guides to users via email and SMS.

Change Status

Activate or deactivate the user account.

ModifyModify the selected user account details. For more information, see Modifying user account details.

DeleteDelete the selected user accounts. For more information, see Deleting user accounts.

3 User list View the brief information of the user accounts on the list.


Viewing the user detailsView each user’s details by clicking a user name on the user list. You can view the detailed information on the selected user account.

The following function buttons are available:

Function button Description

Change PasswordEnter a new password between 8 and 30 characters and confirm it. For more information, see Changing the user account password.

Reset PasswordReset the password. A temporary password will be sent to the user via email.

Change Status Activate or deactivate the user account.

Send EmailSelect templates or user notifications registered in Knox Manage to send to the user via email. For more information, see Sending templates or user notifications to users via email.

Request EnrollmentSend enrollment guides via email or SMS, if the user has no enrolled devices. For more information, see Sending enrollment guides to users via email and SMS.

Function buttons in the footer

You can perform specific functions to the selected user using the function buttons in the footer. The following function buttons are available:


Back Return to the user list.

Delete Delete the selected user account.

Modify Modify the selected user account information.


Creating user accountsCreate a single user account directly in the Admin Portal or bulk users at a time using a template. You can also create user accounts from existing employee information by synchronizing it with the Active Directory (AD)/Lightweight Directory Access Protocol (LDAP) system.

Registering a single user account

To register a single user account directly in the Admin Portal, complete the following steps:

1. Navigate to User.

2. On the “User” page, click Add.

3. On the “Add User” page, enter the following user information:

• User ID: Enter a user ID to log in to Knox Manage with for device enrollment.

• Password: Enter a password between 8 and 30 characters.– Click the checkbox next to Reset after Sign-in to allow users to change their password when

they first logged in.

• Confirm Password: Repeat the password.

• User Name: Enter the user’s full name.

• Email: Enter the user’s email address.

• Mobile Number: Select the country number and enter the user’s mobile number to send the URL address for device enrollment via SMS.

• User Group / Organization: Click Select, and in the “Select User Group / Organization” window, select the user group on the User Group tab and the organization on the Organization tab.

Note If you do not select an organization, the user will automatically belong to the “Undefined” organization.

• Android Manage Type: Select the Android enrollment type among Android Legacy, Android Enterprise, or Follow Organization Type.

Note The user’s Android manage type takes a higher priority than the organization’s Android manage type. Even if you move the user to a different organization, the Android enrollment type set for the users still applies to the users.


• AD/LDAP Sync: Allow the creating of user accounts from the AD/LDAP system. If AD/LDAP Sync is selected, the existing user information will be synchronized from the AD/LDAP system and registered to the Admin Portal.

Note To create AD/LDAP user accounts, you must connect AD/LDAP directory services with Knox Manage and add a sync service. For more information about adding a sync services, see Adding sync services.

• Tag: Click Add, and in the “Add Tag” window, enter new tags to add.

4. Click Save & Request Enrollment to save the user account and send an installation guide to help users enroll their devices.

• Click Save to create the user account and not send an installation guide to the user.

5. In the “Save User” window, click OK.

Registering bulk user accounts

To register bulk user accounts at a time, complete the following steps:


2. On the “User” page, click Bulk Add.

3. In the “Bulk Add Users” window, follow the guideline to download and fill out the Excel file template.

4. Click , and then select the complete Excel file template filled with the user information.

5. Click OK.

6. In the “Save User” window, click OK.


Registering a single AD/LDAP user account

To register a single AD/LDAP user account, complete the following steps:

Note Before registering AD/LDAP user accounts, you must connect AD/LDAP directory services with Knox Manage and add a sync service. For more information about adding a sync service, see Adding sync services.


2. On the “User” page, click Add via AD/LDAP.

3. In the “Select AD/LDAP Sync Type” window, select Single User Sync, and then click OK.

4. On the “Add User” page, enter the AD/LDAP user information:

• Sync target: Click Select to open the “Select Sync Target” window, select a sync service, and then search for users by user name. Select a user to add, and then click OK.

• User ID: The ID of the user that you selected as Sync target will appear here.

• DN: The unique Distinguished Name of the AD/LDAP object will be entered automatically.

• Password: Enter a password between 8 and 30 characters.– Click the checkbox next to Reset after Sign-in to allow users to change their password when

they first logged in.

• Confirm Password: Repeat the password.

• User Name: Enter the user’s full name.


• Mobile Number: Select the country number and enter the user’s mobile number to send the URL address for device enrollment via SMS.

• User Group / Organization: Click Select, and in the “Select User Group / Organization” window, select the user group on the User Group tab and the organization on the Organization tab.

Note If you do not select an organization, the user will automatically belong to the “Undefined” organization.


Note The user’s Android manage type takes a higher priority than the organization’s Android manage type. Even if you move the user to a different organization, the Android enrollment type set for the users still applies to the users.


• AD/LDAP Sync: Allow the creating of user accounts from the AD/LDAP system. If AD/LDAP Sync is selected, the existing user information will be synchronized from the AD/LDAP system and registered to the Admin Portal.


• You can also enter additional information such as employee number, display name, and department in the “Additional Information” area.

5. Click Save & Request Enrollment to save the user information and enroll the user at the same time.

• Click Save to only save the user information.

Registering multiple AD/LDAP user accounts

To register AD/LDAP user accounts at a time, complete the following steps:

Note Before registering AD/LDAP user accounts, you must connect AD/LDAP directory services with Knox Manage and add a sync service. For more information about adding a sync service, see Adding sync services.


2. On the “User” page, click Add via AD/LDAP.

3. In the “Select AD/LDAP Sync Type” window, select Multiple User Sync, and then click OK.

4. In the “Multi User Sync” window, select a sync service, and then search for users with their names.

5. Click the checkboxes for users to add, and then click OK.

• To delete the selected users on the selected users list, click .


Managing user accountsYou can view the detailed user account information, modify user account details, send enrollment guides or templates registered in Knox Manage to users via email and/or SMS, and delete user accounts.

Modifying user account details

To modify the user account details, complete the following steps:


2. On the “User” page, click the checkbox next to the user ID to modify the account details, and then click Modify.

3. On the “Modify User” page, modify the following user information if necessary:

• User Name: Modify the user’s full name.

• Email: Modify the user’s email address.

• Mobile Number: Modify the country number and the user’s mobile number to send the URL address for device enrollment via SMS.

• User Group / Organization: Click Select and then, in the “Select User Group / Organization” window, select the user group on the User Group tab and the organization in the Organization tab.


• AD/LDAP Sync: Allow creating user accounts from the AD/LDAP system.


• Additional Information: Enter the following additional information for the user.– Employee No.: Enter the employee number.– First / Middle / Last Name: Enter the first, middle, and last names.– Display Name: Enter the desired name to be displayed on EMM.– Department: Enter the department name.– Administrator DN: Enter the administrator DN.– Email User Name: Enter the user’s email name.


– Phone: Enter the phone number.– UPN: Enter the user principal name (UPN).– Position: Enter the job position.– Site: Enter the site name.– Security Level: Enter the security level.– User-Defined 1–3: Enter the desired user-defined parameter.

4. Click Save & Request Enrollment to save the modified user account information and send enrollment guides via email.

• Click Save to save the modified user account information and not send an installation guide to the user.

5. In the “Save & Request Enrollment” window, click OK.

Sending device commands to users

You can send device commands to the user’s enrolled devices. For more information on each device command, see Sending device commands to devices.

To send device commands, complete the following steps:


2. On the “User” page, click the checkbox next to the user ID to send a device command to.

3. Click Device Command and select the supported OS platform (enrolled device).

4. In the “Device Command” window, select a desired device command.

5. In the “Request Command” window, click OK.


Sending enrollment guides to users via email and SMS

To provide users with installation guides to allows users to enroll their devices, you can send the following guides to users:

Via Guide name Description

Email Installation guide Provides the Knox Manage Agent installation links and QR codes for Android Direct Installation, Android Knox Mobile Enrollment (KME), and for all of the different OS platforms.

SMS

Public store URL address (including QR codes)

User credential guideProvides the Knox Manage application login information.

UMC (Universal MDM Client) guide

Provides the information needed for users to install Knox Manage through the Universal MDM Client (UMC) pre-loaded on Android devices.

KME (Knox Mobile Enrollment) guide

Provides the KME program guides for users who have enrolled their devices through KME.

Users can download and install the Knox Manage application from public stores or using the QR code. Once users connect to the Internet and log in to Knox Manage with their user ID and password, the devices are automatically enrolled.

To send enrollment guides to users via email and SMS, complete the following steps:


2. On the “User” page, click the checkbox next to the user ID you want to send enrollment guides to, and then click Request Enrollment.

Note To send enrollment guides to users via SMS, the mobile numbers of the users must be registered to their accounts.

3. In the “Request Enrollment” window, click the checkboxes for the guides to send, and then click OK.

• Click to view the preview of the selected guideline.


Sending templates or user notifications to users via email

To send templates or user notifications registered in Knox Manage to users via email, complete the following steps:


2. On the “User” page, click the checkbox next to the user ID you want to send enrollment guides to, and then click Send Email.

3. In the “Send Email” window, select a template file from the template list, and then click Send.

• Click to view a preview of the selected template.

Note For more information on templates, see Managing message templates.

Changing the user account password

To change the user account password, complete the following steps:


2. On the “User” page, click a user name to change its password.

3. On the “User Detail” page, click Change Password.

4. In the “Change Password” window, enter the following user password information:

• New Password: Enter a new password between 8 and 30 characters. The password must be a combination of letters, numbers and special characters.

• Confirm Password: Repeat the new password.

5. Click Save.

• Click the checkbox next to Reset after sign-in to allow the user to change the password when logged in first.


Resetting the user account password

To reset the user account password, complete the following steps:


2. On the “User” page, click a user name to reset its password.

3. On the “User Detail” page, click Reset Password.

4. In the “Reset Password” window, click OK.

• A temporary user account password will be sent to the user via email.

Deleting user accounts

To delete user accounts, complete the following steps:

Note To delete a user account, the status of all the devices must be “Disconnected,” “Expired,” or “Unenrolled.”


2. On the “User” page, click the checkbox next to the user ID you want to delete, and then click Delete.

3. In the “Delete User” window, click OK.


Viewing the organization listNavigate to Organization to view all the organizations registered in the Knox Manage Admin Portal on the “Organization” page. You can also perform specific functions to the selected organizations among the list.

1

2 3



1 Search field Search for a desired organization.

2Function buttons

Add

Add a sub-organization in the parent organizations individually, or add a sub-organization by synchronizing organizations with the Active Directory (AD)/Lightweight Directory Access Protocol (LDAP) system. For more information, see Adding an organization.

Add Sub-Org

Add a sub-organization to the selected organization individually, or add a sub-organization by synchronizing organizations with the Active Directory (AD)/Lightweight Directory Access Protocol (LDAP) system.

Apply Latest Profile

Apply the latest assigned profile to the selected organization. For more information, see Applying the latest profiles to organizations.

ModifyModify the selected organization details. For more information, see Modifying the organization details.

DeleteDelete the selected organization. For more information, see Deleting the organizations.

Application (Assign)

Assign applications to the selected organization. For more information, see Assigning applications to organizations.

Profile (Assign)

Assign profiles to the selected organization. For more information, see Assigning and applying profiles to organizations.

Content (Assign)

Assign content to the selected organizations. For more information see Assigning and distributing content to organizations.

3 Organization list View the brief information of the organizations on the list.


Viewing the organization detailsView each organization’s details by clicking an organization name on the organization list. For more information about each section of the detail page, see Detail page.

Summary area

The summary area contains the information about the selected organization such as organization settings, user’s device types and detailed information.

Tab: User

The User tab shows the user account information in the organization.

• Detail: Move to the “User Detail” page for the selected user. For more information on the “User Detail” page, see Viewing the user details.



Add Add users to the selected organization.

Change OrganizationMove the selected users to other existing organizations. For more information, see Changing user’s organizations.

Send EmailSend templates or user notifications registered in the Knox Manage Admin Portal to users via email. For more information, see Sending templates or user notifications to users via email.

Request Enrollment

Send installation guides to the selected users via email and SMS. For more information, see Sending enrollment guides to users via email and SMS.


Delete UserDelete the selected users from the organization. If a user in the organization is deleted, the user will be moved to the “Undefined” organization.


Tab: Device

The Device tab shows the enrolled device information of users in the organization.

• Detail: Move to the “Device Detail” page for the selected device. For more information on the “Device Detail” page, see Viewing the device details.

The following function button is available:


Refresh Update the list of devices.

Tab: Application

The Application tab shows the applications assigned to the organization. The following function buttons are available:


Unassign Unassign the application assigned to the organization.

Modify SettingModify the settings for the selected application. For more information, see Modifying applications.

Tab: Profile

The Profile tab shows the profiles assigned or applied to the organization.


Unassign Unassign the profile assigned to the organization.

Tab: Content

The Content tab shows the content assigned to the organization.

• See Deploy Area: View the areas where the content is distributed. For more information, see Assigning and distributing content to organizations.


Unassign Unassign the content assigned to the organization.



You can perform specific functions to the organization using the function buttons in the footer.



Back Return to the organization list.

DeleteDelete current organization. The profile assigned to the organization will be unassigned from the users.

ModifyModify the organization details. For more information, see Modifying the organization details.

Assign Assign applications, profiles, or content to the selected organizations.

Apply Latest Profile Apply the latest assigned profiles to the selected organizations.

Managing organizationsConfigure the hierarchy of organizations for users and apply various profiles to each organization. After configuring the organizations and assigning the users to each organization, you can view the information on user account, enrolled devices, applications, and profiles by organization.

Adding an organization

Create a sub-organization in the parent organizations individually, or add a sub-organization by synchronizing organizations with the Active Directory (AD)/Lightweight Directory Access Protocol (LDAP) system.

To add a sub-organization, complete the following steps:

1. Navigate to Organization.

2. On the “Organization” page, click Add.

3. On the “Add Organization” page, enter the following user information:

• Parent Organization: Select the parent organization to add a sub-organization to.

• Inheritable Profile: Displays the profiles inherited with the parent organization. If there is no inheritable profiles, “None” is displayed.


Note The applications assigned to the parent organization will not be inherited.

• Code: Enter a new organization code that complies with the organization format.

Note Once the organization code is saved, you cannot change it.

• Name: Enter a new organization name.

• AD/LDAP Sync: Allow the creating of organizations from the AD/LDAP system. If AD/LDAP Sync is selected, the existing organization information, including its sub-organizations, will be synchronized from the AD/LDAP system and registered to the Admin Portal.

Note To create AD/LDAP organizations, you must connect AD/LDAP directory services with Knox Manage and add a sync service. For more information about adding a sync services, see Adding sync services.

• Android Manage Type: Select the Android enrollment type between Android Legacy and Android Enterprise.

• Sub-Administrator: Select the administrators to manage the organization. If you log in to the Admin Portal for the first time as a super administrator, there will be no subadministrators registered to the Admin Portal. For more information on creating subadministrators, see Adding an administrator.

4. Click Save & Assign, and in the “Save & Assign” window, click Application, Profile, or Content to select what to assign to the organization.

• Application: Select the applications to assign to the organization, and then modify the application settings.

• Profile: Select the profiles to assign to the organization, and then view the selected profile details.

• Content: Select the content to assign to the organization.

• Click Save to register the organization.

Modifying the organization details

After you create an organization, you can modify the organization information.

To modify the organization information, complete the following steps:



2. On the “Organization” page, click the checkbox next to the desired organization to modify its details, and then click Modify.

• To expand or collapse the parent organization, click or next to the organization name. You can also double-click the row of the desired organization to expand or collapse it.

3. In the “Modify Organization” window, modify the following existing organization information:

• Code: Displays the organization’s code.

Note Once the organization code is saved, you cannot change it.

• Name: Enter a new organization name.

• Parent Organization: Select the parent organization to add a sub-organization.

• Inheritable Profile: Displays the profiles inherited with the parent organization.

• AD/LDAP Sync: Allow creating organizations from the AD/LDAP system.

• Android Manage Type: Select the Android enrollment type between Android Legacy and Android Enterprise.

• Sub-Administrator: Click Select to add sub-administrators to the organization.

4. Click Save.

Changing user’s organizations

You can change a user’s organizations to the desired organizations.

To change a user’s organizations, complete the following steps:


2. On the “Organization” page, click a specific organization name to move the user between organizations.

NoteTo expand or collapse the parent organization, click or next to the organization name. You can also double-click the row of the desired organization to expand or collapse it.

3. On the “Organization Detail” page, click the User tab.

4. On the User tab, click the checkboxes next to the user IDs, and then click Change Organization.


5. In the “Select Organization” window, click the desired organization in the tenant tree, and then click OK.

NoteClick or to expand or collapse the parent organization.

Assigning applications to organizations

After applications are registered to the Admin Portal, you can assign them to specific organizations.

To assign applications to organizations, complete the followings steps:


2. On the “Organization” page, click the checkbox next to the organization name you want to assign the application to, and then click Application next to Assign.

3. In the “Select Application” window, click the checkboxes next to the applications to assign, and then click Assign.

Note You can also click Manage Control App to add additional applications to the list. For more information on adding control applications, see Managing applications for specific purposes.

4. On the “Assign Application” page, configure the assignment settings, and then click Assign.

Note Settings for applications to an organization vary depending on the applications supported by each target device’s OS platform. For more information on configuring settings for assigning applications, see Assigning applications.

5. In the “Assign Application” window, click OK.


Assigning and applying profiles to organizations

After profiles are registered to the Admin Portal, you can assign and apply them to specific organizations.

To assign and apply profiles to organizations, complete the followings steps:


2. On the “Organization” page, click the checkbox next to an organization name you want to assign and apply the profile to, and then click Profile next to Assign.

3. In the “Select Profile” window, select the profile to assign, and then click Assign.

Note For more information on assigning and applying profiles, see Assigning to organizations.

4. On the “Assign Profile” page, click Assign & Apply.

• Click Assign to assign the profile to the selected organizations and to not apply the profile now.

5. In the “Apply Profile” window, click OK. The profile will be assigned and applied to the selected organizations at the same time.

Applying the latest profiles to organizations

Apply the latest assigned profile to an organization.

To apply an assigned profile to an organization, complete the following steps:


2. On the “Organization” page, click the checkbox next to the organization name you want to apply the latest profile to, and then click Apply Latest Profile.

3. In the “Apply Profile” window, click OK.


Assigning and distributing content to organizations

After content is uploaded to the Admin Portal, you can assign and distribute it to specific organizations.

To assign or distribute content to organizations, complete the following steps:


2. On the “Organization” page, click the checkbox next to the organization name you want to assign and distribute content to, and then click Content next to Assign.

3. In the “Select Content” window, click the checkboxes for the content items, and then click Assign & Deploy.

• Click Assign to assign the content to the selected organizations and not to distribute it now.

Deleting the organizations

To delete organizations, complete the following steps:


2. On the “Organization” page, click the checkbox next to the organization name you want to delete, and then click Delete.

Note If you delete a parent organization that has sub-organizations, the sub-organizations will become parent organizations.

3. In the “Delete Organization” window, click OK.


Viewing the group listNavigate to Group to view all the groups registered in the Knox Manage Admin Portal on the “Group” page. You can also perform specific functions to the selected groups among the list.

1

2

3


1 Search field Search for a desired group.

2Function buttons

AddAdd a group of users or devices. For more information, see Registering a group.

Add via AD/LDAP

Add a group from existing employee information by synchronizing it with the AD/LDAP system. For more information, see Registering an AD/LDAP sync group.

Device Command

Send device command requests to the enrolled devices in the group. For more information, see Sending device command requests to groups.

Check Location

Check the locations of each enrolled device in the group For more information, see Checking the locations of the devices in the group.

DeleteDelete the selected group. For more information, see Deleting the groups.

Application (Assign)

Assign applications to the selected groups. For more information, see Assigning applications to groups.

Profile (Assign)

Assign profiles to the selected groups. For more information, see Assigning and applying profiles to groups.

Content (Assign)

Assign content to the selected groups. For more information see Assigning and distributing content to groups.

3 Group list View the brief information of the groups on the list.


Viewing the group detailsView each group’s details by clicking a group name on the group list. For more information about each section of the detail page, see Detail page.

Summary area

The summary area contains the information about the selected group such as group and user’s device types.

• Modify Setting: Modify the sync settings of the current AD/LDAP group. In the “Modify Sync Setting” window, enter the following information:

– AD/LDAP Sync: Enable or disable sync services.

– Sync Group Member: Select whether sync all users or only the selected users of the group. (Do Not Sync, Sync All, Sync Selected Only)

– Profile/App Auto Apply: Select when to apply a profile or application to a group member automatically. (When Adding a User, When Deleting a User, When Deleting a Group)

Tab: User (For user or AD/LDAP groups)

The User tab for user groups shows the information of the user accounts in the group.




AddAdd a user to the group from the user list. For more information, see Adding users to user groups.




Request Enrollment



Delete User

Delete the selected user from the group.

Note You cannot delete users from the AD/LDAP group.

Tab: User (For device groups)

The User tab for device groups shows the information of the user’s devices and user accounts in the group.





Request Enrollment



Tab: Device (For user or AD/LDAP groups)

The Device tab for user groups shows the device status and information of the user’s devices in the group.

• Detail: Move to the “Device Detail” page for the selected user’s device. For more information on the “Device Detail” page, see Viewing the device details.


The following function button is available:



Tab: Device (For device groups)

The Device tab for device groups shows the device status and information of the user’s devices in the group.

• Detail: Move to the “Device Detail” page for the selected device. For more information on the “Device Detail” page, see Viewing the device details.




AddAdd a device from the device list to the group. For more information, see Adding devices to device groups.

Delete Delete the selected device from the group.

Tab: Application

The Application tab shows the applications assigned to the group. The following function buttons are available:


Unassign Unassign the applications assigned to the group.

Modify Setting Modify the settings of the applications assigned to the group.

Tab: Profile

The Profile tab shows the profiles assigned to the group. The following function buttons are available:


Unassign Unassign the profiles assigned to the group.


Tab: Content

The Content tab shows the content assigned to the group.

• See Deploy Area: View the areas where the content is distributed. For more information, see Assigning and distributing content to groups.


Unassign Unassign the content assigned to the group.

Tab: Command History

The Command History tab shows the command histories of the group.

• Detail: Move to the “Device Detail” page for the selected user’s device. For more information, see Viewing the device details.


You can perform specific functions to the group using the function buttons in the footer.



Back Return to the group list.

Delete Delete the selected group.

Sync Sync the current AD/LDAP group.

Assign Assign applications, profiles, or content to the selected group.

Check LocationSelect the device to view its location on the mobile ID list and view the device location on the map. For more information, see Checking the locations of the devices in the group.

Apply Latest Profile Apply the latest assigned profiles to the selected group.

Device CommandSelect a device command and send it to the enrolled devices in the selected group.


Creating groups of users or devicesA group can be composed either of users or devices. Once a group is created, you can assign and apply applications and profiles to the group of users or devices. Create a group directly in the Admin Portal or from existing employee information by synchronizing it with the Active Directory (AD)/Lightweight Directory Access Protocol (LDAP) system.

Registering a group

To create a group of users or devices, complete the following steps:

1. Navigate to Group.

2. On the “Group” page, click Add.

3. On the “Add Group” page, enter the following user information:

• Name: Enter a group name.

• Type: Select one of the following group types.– User: A group composed of user accounts only– Device: A group composed of devices only

4. On the user or device list, click the checkboxes next to the user IDs or device names to include them in the group. After the users or devices are selected, they will be displayed on the selected user or selected device list.

• You can also search for and select devices using filters. In the “Selected Device” area, click Select via Filter, and then click the checkboxes for the filters you want to apply, such as user status, position, and security level. Filtered devices will be added to the selected device list.

5. Click Save & Assign, and in the “Save & Assign” window, click Application, Profile, or Content to select what to assign or deploy to the group.

• Application: Select the applications to assign to the group, and then modify the application settings.

• Profile: Select the profiles to assign to the group, and then view the selected profile details.

• Content: Select the content to assign to the group.


Registering an AD/LDAP sync group

To create a group from existing employee information by synchronizing it with the AD/LDAP system, complete the following steps:


2. On the “Group” page, click Add via AD/LDAP.

3. In the “Select Sync Target” window, enter the AD/LDAP group information:

• Sync target: Select a synchronization service to search for groups. If you have selected a synchronization service, the relevant filter is automatically entered.

• Keyword Search: Enter a keyword to search for groups within the selected range, and then click Search.

4. Select a group from the search result, and then click OK.

5. On the “Add AD/LDAP Group” page, enter the following group information:

• Sync target: Click Select to open the “Select Sync Target” window. For more information, see step 3.

• Group Name: Enter a group name.

• Profile/App Auto Apply: Select when to apply a profile or application to a group member automatically. (When Adding a User, When Deleting a User, When Deleting a Group)

• Sync Group Member: Select whether sync all users or only the selected users of the group.– Sync All: Sync all members of the group.– Sync Selected Only: Sync only the selected members of the group.

6. Click Save.


Managing groupsAfter configuring the groups of users or devices, apply various profiles to each group. You can also view the detailed information of the user account, devices, device locations, applications, and profiles by group.

Adding users to user groups

After creating a user group, you can add users to it.

To add users to a user group, complete the following steps:


2. On the “Group” page, click a specific user group name to add users to.

Note The group type must be User.

3. On the “Group Detail” page, click the User tab.

4. On the User tab, click Add.

5. In the “Select User” window, click the checkboxes next to the user ID to select users to add and then, click Add. To delete the selected users on the selected user list, click .

6. In the “Add User” window, click Yes.

Note To apply the changed group’s profile to the added or deleted user’s devices, select Yes.


Adding devices to device groups

After creating a device group, if required, you can add devices to the desired device group.

To add devices to a device group, complete the following steps:

1. Navigate to Groups.

2. On the “Group” page, click a specific device group name to add devices to.

Note The group type must be Device.

3. On the “Group Detail” page, click the Device tab.

4. On the Device tab, click Add.

5. In the “Select Device” window, click the checkboxes next to the device name to select devices to add, and then click Add. To delete the selected devices on the selected device list, click .

• You can also search for and select devices using filters. In the “Selected Device” area, click Select via Filter, and then click the checkboxes for the filters you want to apply, such as user status, position, and security level. Filtered devices will be added to the selected device list.

6. In the “Add Device” window, click Yes.

Note To apply the changed group’s profile to the added or deleted user’s devices, select Yes.

Assigning applications to groups

After applications are registered to the Admin Portal, you can assign them to specific groups.

To assign applications to groups, complete the followings steps:


2. On the “Group” page, click the checkbox next to the group name you want to assign the application to, and then click Application next to Assign.

3. In the “Select Application” window, click the checkboxes next to the applications to assign, and then click Assign.

Note You can also click Manage Control App to add additional applications to the list. For more information on adding control applications, see Managing applications for specific purposes.


4. On the “Assign Application” page, configure the assignment settings, and then click Assign.

Note Settings for applications to a group vary depending on the applications supported by each target device’s OS platform. For more information on configuring settings for assigning applications, see Assigning applications.

5. In the “Assign Application” window, click OK.

Assigning and applying profiles to groups

After profiles are registered to the Admin Portal, you can assign and apply them to specific groups.

To assign and apply profiles to groups, complete the followings steps:


2. On the “Group” page, click the checkbox next to the group name you want to assign and apply the profile to, and then click Profile next to Assign.

3. In the “Select Profile” window, select the profile to assign, and then click Assign.

Note For more information on assigning and applying profiles, see Assigning to groups.

4. On the “Assign Profile” page, click Assign & Apply to assign and apply the profile to the selected groups at the same time.

• Click Assign to assign the profile to the selected groups and not to apply the profile now.


Assigning and distributing content to groups

After content is uploaded to the Admin Portal, you can assign and distribute them to specific groups.

To assign and distribute content to groups, complete the following steps:


2. On the “Group” page, click the checkbox next to group name you want to assign and distribute content to, and then click Content next to Assign.

3. In the “Select Content” window, click the checkboxes for the content items, and then click Assign & Deploy.

• Click Assign to assign the content to the selected groups and not distribute them now.

4. In the “Assign & Deploy Content” window, click OK.

Sending device command requests to groups

You can send device command requests to the user’s enrolled devices. For more information on each device command, see Sending device commands to devices.

To send device command requests, complete the following steps:


2. On the “Group” page, click the checkbox next to the group name to send a device command request to.

3. Click Device Command and select the supported OS platform or manage type (enrolled device).

4. In the “Device Command” window, select a desired device command.

5. In the “Request Command” window, click OK.


Checking the locations of the devices in the group

You can check the locations of each enrolled device in the group.

To check the device locations, complete the following steps:


2. On the “Group” page, click the checkbox next to the group name to view the locations of the enrolled devices in the group, and then click Check Location.

3. In the “Check Location” window, click a desired activated device on the device list and view its detailed location information, such as its latitude, longitude, and altitude, over the last 30 days.

Deleting the groups

To delete groups, complete the following steps:


2. On the “Group” page, click the checkbox next to the group name you want to delete, and then click Delete.

3. In the “Delete Group” window, click Yes.

Note To maintain the assigned applications and profiles of this group for the user, select No. To unassign the applications and profiles of this group from the user, select Yes.


Syncing user information with AD/LDAPAdd information about users, groups, and organizations to the Knox Manage server through the Active Directory (AD) service that is built upon the industry-standard Lightweight Directory Access Protocol (LDAP). This service enables you to keep user, organizational, and group information synchronized across multiple sites throughout the enterprise and update information on demand or automatically at specified intervals.

The AD/LDAP service provided by Knox Manage includes filtered search capabilities for viewing user information and historical data about sync services. For synchronizing Knox Manage data between the enterprise and cloud servers, SAMSUNG provides the Cloud Connector secure data transfer channel. For more information, see Using Cloud Connector.

User Devices

Firewall

AD/LDAP

Knox ManageCloud

Connector


Adding sync services

Add AD/LDAP directory services in Knox Manage to synchronize user, organizational, and group information. Once added, you can sync through the corresponding menus in User, Group, and Organization.

To add a sync service, complete the following steps:

1. Navigate to Advanced > AD/LDAP Sync > Sync Service.

2. On the “Sync Service” page, click Add.

3. On the “Add Sync Service” page, enter information required for specifying the basic information about a sync service.

• Sync Service Name: Enter the sync service name (up to 25 characters consisting of letters, numbers, and special characters (- or _ only). It will be used to distinguish each sync service and also used when selecting sync services in User, Group, and Organization.

• Target: Click the checkbox next to User, Group, or Organization as the target information to retrieve from the directory through the sync service.

• Scheduler: Select Use next to Scheduler to use automatic synchronization and enter the schedule and iteration cycle in the Schedule tab below:– Time Zone: Click the drop-down menu and select the time zone to use for the automatic

synchronization. You can change the default in Setting > Configuration > Basic Configuration.

– Sync Interval: Click the drop-down menu and select a sync service interval: Once, Hourly, Daily, Weekly, Monthly, or Advanced Settings. If you select Advanced Settings, set a regular interval in month, week, day, or hour format using cron expressions.

– Time: Set the start time for the sync service.– Start Date: Set the start date for the sync service.– Target of Scheduler: Click the checkbox next to User, Group, or Organization as the target

information to retrieve from the directory through the scheduled sync service.

4. Click the Server tab and enter information required for specifying the LDAP server information.

• Directory Type: Select a directory. Select Other when connecting to other directory servers except the Microsoft Active Directory.

• IP/Host: Enter the IP or host address of the directory, and the TCP port number for communicating with the directory server. The default port number used for unencrypted communication with the directory server is 389.


• Encryption Type: Select None (No encryption), SSL (Secured Socket Layer), or TLS (Transport Layer Security) as the encryption method for the internet communication protocol used for communicating with the directory server.

• Auth Type: Select None, Simple, DIGEST-MD5(SASL), or CRAM-MD5(SASL) as the authentication method used when establishing a connection with the directory server. After selecting DIGEST-MD5(SASL) or CRAM-MD5(SASL), fill out the Authentication details field for the chosen Auth Type as follows:

Auth Type Description

DIGESTMD5(SASL)/CRAMMD5(SASL)

Configure the settings for Simple Authentication and Security Layer (SASL), a telnet-based protocol:

• SASL Realm: Enter the realm value of the SASL server in domain format (e.g., sample.com).

• Quality of Protection: Select the quality of the data protection from the followings.– Authentication Only: Protect data only upon authentication.– Authentication with integrity: Ensure integrity of all the data

exchanged, as well as authentication.– Authentication with integrity and privacy: Ensure integrity of all data

exchanges, as well as authentication through data encryption.

• Protection Strength: Select a data protection level, and determine whether or not mutual authentication should be performed when exchanging data.– High: Use 128-bit encryption.– Medium: Use 56-bit encryption.– Low: Use 40-bit encryption.– Mutual Authentication: Click the checkbox next to Mutual

Authentication to ensure data validity by inserting the key into the data exchanged between the client and server.

• User ID: Enter the administrator information of the directory server in the following forms:– domain/administrator ID,– administrator ID @ domain,– or CN = administrator ID, CN = Users, DC = domain, and DC = com.

• Password: Enter the user ID’s password.

5. Click the User, Group, or Organization tab according to your selection in Target in the Preferences tab, and then enter the following information:

• For more information on the User tab, see Customizing user information.

• For more information on the Group tab, see Customizing group information.

• For more information on the Organization tab, see Customizing organization information.


6. Click Save & Sync.

7. In the “Save & Sync Service” window, click OK.

• Click View next to Expected Sync Result to preview the sync result before starting sync.

Customizing user information

Customize user information on the User tab in the “Add Sync Service” window.

To customize the user information when adding the sync service, complete the following steps:



3. On the “Add Sync Service” page, enter information required for specifying the basic information about a sync service. For more information, see Adding sync services.

Note When entering the information on the “Add Sync Service” page, you must select User for the sync service target.

4. Click the User tab, and then enter the following information:

• Base DN: Click Select to open the “Select Base DN” window and select a starting location for searches in the directory server. Entering a Base DN value can reduce the time required to search for data by limiting searches to a specific location.– Selected DN: Shows the selected DN (Distinguish Name).

• Filter: Click Select to open the “Select Object Class” window and select an Object Class and attributes for the LDAP Syntax string that will be used to filter search results. For more information about setting filters, see Adding a directory connector.– Recommended Properties: Displays the recommended properties of the selected object

class.– Return Value: Displays the LDAP Syntax of the selected property information and object

class.– Default: Select the object class name defined by default as a filter.– Custom: Select the object class name defined by connected directory server as a filter.

• Sync Target: Select to add specific targets that are not already specified as targets for the sync service.– Directly Select (Recommended): Click Select to open the “Select Sync Target” window and

select the desired target.– All in Config: All users are selected.


• Auto Deploy: Profiles are automatically applied to the user devices when organization information is changed.

• Permanent Delete: Select how to process users who have been deleted from the directory server in Knox Manage.– Keep: Select to keep the user’s data in Knox Manage.– Delete: Select to clear the user’s data from Knox Manage. Deleted users are then added to

the list of Sync exceptions. To view this list, navigate to Advanced > AD/LDAP Sync > Sync Service, and on the “ Sync Service” page, click Manage Sync Exception and view Exception Type with a value of Deleted (Source).

5. Click next to Detail in the Mapping Information area and enter information for mapping the user attributes of the directory server and the user attributes entered when registering user accounts in Knox Manage. The most common values of a directory server are entered automatically, but you can change them according to the directory server.

• User ID: Enter a user ID up to 220 characters.

• User Name: Enter the user’s login name that will be used for the Windows domain. Enter the UPN in “User’s login name@domain_name” format.

• Employee No.: Enter the employee’s number.


• Mobile No.: Enter the user’s mobile number.

• DN (Distinguished Name): Enter the unique name of the LDAP object.

• Object Identifier: Enter the ID used to distinguish the synced user.

• Organization: Enter the organization name.

• Status: Enter the status of the user account.

• Last Updated Date: Enter the last date when the user information was updated.

• Created Date: Enter the date when the user was created.

• First Name: Enter the user’s first name.

• Middle Name: Enter the user’s middle name.

• Last Name: Enter the user’s last name.

• Display Name: Enter the user’s display name.

• Department: Enter the user’s department.

• Administrator DN: Enter the unique name of the administrator.

• Email User Name: Enter the user’s email username.

• Contact: Enter the contact information.

• UPN: Enter the User Principal Name (UPN).


• User Identifier: Enter the name used to distinguish the synced user.

• Default Country Code: Enter the default country code.

• Organization Code: Enter the organization code.

• Position Code: Enter the position code.

• Site: Enter the site information.

• Security Level: Select a security level for the user.

• User Certificate: Select a user certificate.

• User-Defined 1: Enter a user defined value.



Note • Click Select to the right of each item to search for the attributes defined in the directory server.

• Click Refresh to the right of each item to reset the saved values back to the default values.

• Click the checkbox next to User Static Input Value to delete the default mapped values and to allow you to enter values manually.





Customizing group information

Customize group information on the Group tab in the “Add Sync Service” window.

To customize the group information when adding the sync service, complete the following steps:




Note When entering the information on the “Add Sync Service” page, you must select the sync service target as Group.

4. Click the Group tab, and then enter the following information:

• Base DN: Click Select to open the “Select Base DN” window and select a starting location for searches on the directory server. Entering a Base DN value can reduce the time required to search for data by limiting searches to a specific location.

• Filter: Click Select to open the “Select Object Class” window and select an Object Class and attributes for the LDAP Syntax string that will be used to filter search results. For more information about setting filters, see Adding a directory connector.


select the desired target.– All in Config: All groups are selected.

• Permanent Delete: Select how to process groups which have been deleted from the directory server in Knox Manage.– Keep: Select to keep the group’s data in Knox Manage.– Delete: Select to clear the group’s data from Knox Manage. Deleted groups are then added to

the list of Sync exceptions. To view this list, navigate to Advanced > AD/LDAP Sync > Sync Service, and on the “ Sync Service” page, click Manage Sync Exception and view Exception Type with a value of Deleted (Source).


5. Click next to Detail in the Mapping Information area and enter information for mapping the group attributes of the directory server and the group attributes entered when registering groups in Knox Manage. The most common values of a directory server are entered automatically, but you can change them according to the directory server.

• Group Name: Enter the name for the group.

• Member: Select a member for the group.

• Organization: Select the organization to which the group belongs. If left unspecified, the group will not belong to any organization.

• DN (Distinguished Name): Enter the unique name of the LDAP object.

• Object Identifier: Enter the ID used to distinguish the synced group.

• Group Identifier: Enter the name used to distinguish the synced group.







Customizing organization information

Customize organization information on the Organization tab in the” Add Sync Service” window.

To customize the organization information when adding the sync service, complete the following steps:




Note When entering the information on the “Add Sync Service” page, you must select the sync service target as Organization.


4. Click the Organization tab, and then enter the following information:

• Base DN: Click Select to open the “Select Base DN” window and select a starting location for searches on the directory server. Entering a Base DN value can reduce the time required to search for data by limiting searches to a specific location.

• Filter: Click Select to open the “Select Object Class” window and select an Object Class and attributes for the LDAP Syntax string that will be used to filter search results. For more information about setting filters, see Adding a directory connector.


select the desired target.– All in Config: All organizations are selected.

• Permanent Delete: Select how to process organizations which have been deleted from the directory server in Knox Manage.– Keep: Select to keep the organization’s data in Knox Manage.– Delete: Select to clear the organization’s data from Knox Manage. Deleted organizations are

then added to the list of Sync exceptions. To view this list, navigate to Advanced > AD/LDAP Sync > Sync Service, and on the “ Sync Service” page, click Manage Sync Exception and view Exception Type with a value of Deleted (Source).

5. Click next to Detail in the Mapping Information area and enter information for mapping the organization attributes of the directory server and the organization attributes entered when registering organizations in Knox Manage. The most common values of a directory server are entered automatically, but you can change them according to the directory server.

• Organization Code: Enter the organization code.

• Organization Name: Enter the organization name.

• Member: Enter the member of the organization.

• Organization: Enter the member’s organization.

• DN: Enter the unique name of the organization.

• Object Identifier: Enter the ID used to distinguish the synced organization.

• Organization Identifier: Enter the name used to distinguish the synced organization.

• Company Number: Enter the company number.

• Upper Organization Code: Enter the code for an organization in a higher tier than the organization to which the user belongs. It allows synchronizing the organization by maintaining the hierarchical relationships in the organization chart.


• Department Head ID: Enter the ID of the department head.

• Department Head Name: Enter the name of the department head.

• Department Head Position: Enter the position of the department head.

• Display Order: Enter the display order.







Viewing a list of sync services

After adding sync services, you can view the available sync services in a list.

From the Sync Services list, view the following information of each sync service ID:

• Sync Service Name: Click to view the preferences, entered users, and organizational and group information of the sync service.

• Target: Check the target to be retrieved from the directory server.

• Scheduler: Check if automatic synchronization on schedule is in use.

• Sync Status: Check the status of the sync service. If the sync service is in progress, “In Progress” appears, and if the sync service is scheduled to sync at a specific time, “Waiting” appears.

• Sync Interval

• Last Updated

From the Sync Services list, click the checkbox for a sync service and click Sync to synchronize data immediately. For more information, see Running a sync service on demand.


Changing the sync targets

Enable or disable sync services by user, organization, or group. The sync targets are identical to the ones that are set as AD/LDAP on the User, Organization, or Group page.


2. On the “Sync Service” page, click a sync service name.

3. In the User, Group, or Organization tab on the “Sync Service Detail” page, click the checkbox for a sync service and click Enable Sync.

• Click Disable Sync to exclude from the sync targets.

4. In the User, Group, or Organization tab, click Add to add a sync target.

Viewing sync results

Navigate to the User, Group, or Organization tab to view users, organizations, or groups added to Knox Manage after running a sync service.

• User: View the targets set to AD/LDAP under Type.

• Organization: View the targets set to AD/LDAP under Type.

• Group: View the targets set to AD/LDAP under Type.


Running sync services

Synchronization occurs automatically according to the schedule specified. The Sync Interval value can be set while adding a sync service (see Adding sync services). You can also perform on-demand synchronization at any time and can also add additional targets while doing so. The pop-up window that appears when running an on-demand sync service shows the expected number of targets, which helps you determine whether or not to run the synchronization.

Running a sync service automatically

Synchronize data automatically on the schedule specified. When adding or modifying sync services, select Use next to Scheduler and specify schedules for automatic synchronization. For more details, see Adding sync services.

• The history of the sync service can be viewed in Advanced > AD/LDAP Sync > Sync History.

Running a sync service on demand

Synchronize data on demand at any point in time by choose to synchronize the targets already specified for a service or adding, modifying, or deleting targets as needed.

To run a sync service on demand, complete the following steps:


2. On the “Sync Service” page, click the checkbox for a sync service and click Sync.

3. In the “Sync” window, select a sync target type, select to preview the sync result before starting sync, and click OK.

4. In the “Expected Sync Results” window, check the expected synced targets and click OK.

Note Navigate to Advanced > AD/LDAP Sync > Sync History to view the history of the sync service.


Viewing sync exceptions

Navigate to Advanced > AD/LDAP Sync > Sync Service, and on the “ Sync Service” page, click Manage Sync Exception to view all the list of users, organizations and groups that are excluded from the sync service in the “Manage Sync Exception” window.

The sync exceptions list is sorted and managed according to the Exception Type.

• Deleted (EMM): Targets that are deleted manually by the administrator

• Deleted (Source): Targets that have been deleted from the directory server and, therefore, also deleted in Knox Manage. This exception applies when you set the Permanent Delete option to Delete in the User, Group, or Organization tab on the “Add Sync Service” page.

• Deleted (Synchronized Group): Target groups that have been deleted from the directory server and, therefore, also deleted in Knox Manage. This exception applies when you select Yes next to Sync Group Member in the Group tab on the “Add Sync Service” page.

• Duplicated: A user, group, or organization with the same ID exists in Knox Manage.

• Rejected: A group or organization has been specifically excluded from synchronization in Knox Manage, because the AD/LDAP Sync checkbox is not checked in the group and organization information in Group or Organization.

• Inappropriate: Targets whose registered information in the directory server is not appropriate for Knox Manage’s architecture.

Restoring sync exceptions

View exceptions by Exception Type and restore them. When restoring exceptions for a target, synchronization begins immediately. Once synchronized, the target appears in the list of synchronized targets.

To restore a sync exception, complete the following steps:


2. On the “ Sync Service” page, click Manage Sync Exception.

3. In the “Manage Sync Exception” window, click the checkbox next to the target and click Delete & Sync Service to restore it.

4. In the “Delete & Sync Service” window, click OK.


Deleting sync exceptions

Targets that have been removed from the list of Sync exceptions are added to the list of sync targets for the relevant sync service again. They will be synchronized automatically according to the schedule or when you set to synchronize them on demand.

To delete a sync exception, complete the following steps:


2. On the “ Sync Service” page, click Manage Sync Exception.

3. In the “Manage Sync Exception” window, enter a target ID or target type and click .

• Exception Type: The sync exceptions list is sorted according to the Exception Type.

• Target ID: The Sync exception ID such as user ID, group, ID, or organization name.

• Integration System ID: The base DN of the directory server set for the sync service.

• Target Type: The Sync exception type, such as a user and group.

• Service Name: The sync service name used to distinguish each sync service.

• Last Updated: The last date when the sync exception was created.

4. Click the checkbox next to the target and click Delete.

5. In the “Delete” window, click OK.

Once an exception is deleted, the target is added to the list of sync targets for the relevant sync service again, and will be synced automatically according to the schedule. For more information on running the sync service immediately, see Running a sync service on demand.


Viewing sync history

You can search for a history of previously-run sync services by sync type or period. To search for a sync history, complete the following steps:

1. Navigate to Advanced > AD/LDAP Sync > Sync History.

2. On the “Sync History” page, set the request date, select a task type, enter a sync service name, and click Search.

3. Click Detail on the row of the relevant service to view additional details. You can view the history of changes made to the sync service, users, organizations, and groups by tab.

user/group/ organization - samsung...

Documents